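#
# OpenVPN server configuration (server side of a routed "tun" VPN).
#
# Quick start:
# http://openvpn.net/index.php/open-source/documentation/howto.html#quick
#
# Full HOWTO:
# http://openvpn.net/index.php/open-source/documentation/howto.html
#
# NOTE(review): this file is a template. Some values below are
# placeholders or are documented as test-only; read the notes next to
# each directive before deploying it.

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
# (1194 is the default, but on some APN networks it is blocked.)
port 21194

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
#
# server.key is the long-term server identity: keep it readable only by
# the account OpenVPN starts as; it is read before the privilege drop
# configured further down.
ca ca.crt
cert server.crt
key server.key

# Hardening directives worth adding (each needs the matching client-side
# setting; they are left commented so the file starts without the extra
# files being present):
# remote-cert-tls client   - reject a peer whose certificate is not a
#                            client certificate (stops a stolen server
#                            cert from impersonating a client)
# tls-crypt ta.key         - authenticate and encrypt the TLS control
#                            channel (tls-auth ta.key 0 on older versions)
# crl-verify crl.pem       - honour certificate revocations
# auth SHA256              - HMAC algorithm for the data channel

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
# and point "dh" at the result. 1024-bit DH parameters are below the
# strength current TLS libraries expect and may be refused outright;
# the 1024-bit file below is kept only so an existing deployment still
# starts while the parameters are regenerated.
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.20.30.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.20.30.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.20.30.0 255.255.255.0

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.20.30.0/255.255.255.0)
# back to the OpenVPN server.
push "route 130.132.0.0 255.255.0.0"
push "route 172.28.0.0 255.255.0.0"
# DNS server handed to connecting clients.
push "dhcp-option DNS 130.132.1.9"

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# NOTE(review): compressing data before it is encrypted lets an attacker
# who can get chosen plaintext into the tunnel (e.g. via a web page the
# client loads) infer secrets from ciphertext sizes - the VORACLE class
# of attacks. OpenVPN deprecated comp-lzo for this reason; prefer
# removing it on the server and on every client.
comp-lzo

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# These two lines only work on non-Windows systems;
# comment them out on Windows.
# "users" is an ordinary login group. "nogroup" (Debian-style) or
# "nobody" (RHEL-style) leaves the daemon with access to fewer
# group-owned files if it is ever compromised.
user nobody
group users

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
# NOTE(review): this is enabled here, so every client can reach every
# other client and one compromised client can probe the rest. Comment it
# out unless client-to-client traffic is an actual requirement.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# NOTE(review): this is currently enabled. With a shared certificate a
# single leaked key file gives unlimited concurrent access, and there is
# no way to revoke one user without revoking everyone. Comment it out
# once every client has its own certificate/key pair.
duplicate-cn

# Which local IP address should OpenVPN
# listen on? (optional)
# The original value here was the placeholder "ip.addr.of.host", which
# OpenVPN cannot resolve, so the line is commented out: with "local"
# absent the server listens on all addresses. To bind to one interface,
# replace the placeholder with that interface's address and uncomment.
# local ip.addr.of.host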